
Host Scanner Changelog

This is the list of version numbers of the Cryptosense Host Scanner. Each version number is shown with a list of changes brought by that version.

0.9.9 - 2023-05-15

Changed

  • [General] --password argument does not appear by default in trace arguments. Use --allow-secrets-in-trace to write it again in the trace.

Added

  • [General] Add --tag argument to host-scanner. Can be specified multiple times. The provided tags are written in the trace header.
  • [General] Add --allow-secrets-in-trace argument to host-scanner. This argument will allow --password argument to be written in trace.
  • [General] Add --max-files-per-second argument to host-scanner. This argument sets a limit on the number of files scanned per second. 0 is considered as no limit and is the default value.
  • [General] Add --work-load argument to host-scanner. This argument sets a limit, as a percentage, on the CPU load of the Host Scanner during its execution. Default value is 100% (no limit).
  • [General] Add --exclude argument to host-scanner. Can be specified multiple times. The provided files or directories are not scanned.
  • [zip] Add zip module and basic parsing of zip files.

0.9.7 - 2023-01-04

Changed

  • [PKCS#12] Remove unnecessary warnings about PKCS#12 parsing.
  • [Certificates] Add missing algorithm identifier for md2withrsa signature.
  • [General] Add alternative algorithm identifier for DSA keys.
  • [General] Improve reporting of unknown algorithm identifiers.

Added

  • [PPK] Detect PPK files (used by PuTTY) and extract their content.
  • [PKCS#7] Detect PKCS#7 files and extract their content.
  • [SSH] Add the parsing of the public keys coming from SSH certificates.

0.9.6 - 2022-09-15

Changed

  • [PEM] Extract all certificates from concatenated PEM files.

Added

  • [General] Added the --password option to try the decryption of PBE-encrypted information.
  • [PKCS#12] Extract content of Data items.
  • [PKCS#12] Extract content of EncryptedData items if --password is provided and decryption succeeds.
    • Support for PBES2 encryption with PBKDF2 as KDF, and AES-(128/192/256)-(ECB/CBC) and 3DES-CBC as encryption schemes.
    • Other algorithms are not decrypted but the algorithm names are exported for analysis.

0.9.5 - 2022-06-28

Changed

  • Deprecate the --include-keys option. Keys are now included by default.
  • Detect PEM blocks preceded by some plain text, up to 32 KiB after the beginning of the file. Previously PEM content was only detected at the beginning of a file.

Added

  • Detect JCEKS keystores and extract their content, if unencrypted.
  • Add support for Windows.

Fixed

  • Fix crash on certificates containing invalid UTF-8 strings inside distinguished names.
  • Fix crash on some malformed PGP keys.
  • Increase robustness of scanner against parsing bugs by making it recover and continue scanning.
  • Fix a situation where some combinations of command-line options caused the same parser modules to be applied to files more than once.
  • Ensure correct JSON encoding of the trace header (e.g. correct escaping of \ characters in Windows file paths).
  • Fix crash on keystore private key entries with empty certificate chains.
  • Fix failure to detect PEM files with Windows CRLF line endings.
  • Fix crash on some special files where true and reported file lengths differ (e.g. in /sys).
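To make the PEM-related entries concrete (all blocks of a concatenated PEM file in 0.9.6, the 32 KiB search window in 0.9.5 Changed and CRLF line endings in 0.9.5 Fixed), here is an added Python sketch that is not the Host Scanner's own code: it reports every PEM block in a buffer, accepts Windows line endings, keeps scanning past a block whose base64 body is bad, and ignores the file when no header appears within the first 32 KiB. The window constant, function name and sample data are this example's own assumptions.

```python
import base64
import binascii
import re

# Only the first 32 KiB of a file is searched for a PEM header, following the
# 0.9.5 entry above (the constant name is this example's own assumption).
PEM_SEARCH_WINDOW = 32 * 1024

# One PEM block: BEGIN line, base64 body lines, END line with the same label.
# "\r?\n" accepts both LF and Windows CRLF line endings (0.9.5 fix).
_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n"
    rb"((?:[A-Za-z0-9+/=]+\r?\n)+)"
    rb"-----END \1-----"
)


def find_pem_blocks(data: bytes):
    """Return [(label, offset, decoded_bytes)] for every PEM block in data,
    provided the first BEGIN line starts inside PEM_SEARCH_WINDOW.
    A block whose body is not valid base64 is still reported with
    decoded_bytes=None, so one bad block does not stop the scan."""
    first = data.find(b"-----BEGIN ", 0, PEM_SEARCH_WINDOW)
    if first < 0:
        return []  # no header within the window: file is not treated as PEM
    found = []
    for m in _PEM_BLOCK.finditer(data, first):  # all concatenated blocks
        body = b"".join(m.group(2).split())     # drop line breaks first
        try:
            decoded = base64.b64decode(body, validate=True)
        except binascii.Error:
            decoded = None
        found.append((m.group(1).decode("ascii"), m.start(), decoded))
    return found


# Constructed samples (not real keys): a CRLF file with a plain-text preamble
# and two concatenated blocks, and one whose only block starts past the window.
_FAKE_DER = b"\x30\x03\x02\x01\x05"  # tiny DER SEQUENCE, base64 "MAMCAQU="
_B64 = base64.b64encode(_FAKE_DER)
SAMPLE_CRLF_BUNDLE = (
    b"# exported from the staging host\r\n"
    + b"-----BEGIN CERTIFICATE-----\r\n" + _B64 + b"\r\n-----END CERTIFICATE-----\r\n"
    + b"-----BEGIN EC PRIVATE KEY-----\n" + _B64 + b"\n-----END EC PRIVATE KEY-----\n"
)
SAMPLE_PAST_WINDOW = b"x" * (PEM_SEARCH_WINDOW + 1) + SAMPLE_CRLF_BUNDLE

if __name__ == "__main__":
    for label, offset, der in find_pem_blocks(SAMPLE_CRLF_BUNDLE):
        print(f"{label} at byte {offset}: {len(der)} DER bytes")
    print(find_pem_blocks(SAMPLE_PAST_WINDOW))  # [] : header beyond 32 KiB
```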

0.9.4 - 2022-04-08

Changed

  • Change the --max-file-size option to interpret 0 as "no size limit". Any strictly positive value is interpreted the same way as before (file cutoff in bytes).

Fixed

  • Improve encoding of certificate serial numbers so that such certificates have a better chance of being correctly matched with certificates coming from other sources such as the Java Tracer.
  • Improve performance of scanning:
    • Improve detection of ASN.1 files to reduce memory usage and time spent in scans.
    • Exclude CPIO and system map files from scan.

0.9.3 - 2022-03-02

Added

  • Add option --max-file-size to change the size limit for scanned files. The default value is 1 MB.

Changed

  • Limit the amount of data read from any single file to 1 MB by default. This avoids performance issues when large files are mistaken for ASN.1 files.

Fixed

  • Prevent the host scanner from missing some files when /sys is in the scope of the scan, even if those files are outside of /sys.

0.9.2 - 2022-02-01

Added

  • Add initial support for PKCS#12 keystores.

Changed

  • Fix host name for Docker image scans: it now reports the image name.

0.9.1 - 2021-10-29

Fixed

  • Fix container image file locations to not contain the temporary prefix used for scanning (e.g. /etc/ssl/cert.pem instead of /tmp/tmp_name/etc/ssl/cert.pem).

0.9.0 - 2021-10-13

Added

  • Add initial support for PGP keys.

0.8.0 - 2021-08-04

Fixed

  • Catch and handle "end of file" errors coming from the Java static scanner if it is used in combination with the host scanner.

0.7.1 - 2021-07-29

Added

  • Add on-the-fly gzip compression of scans.

Fixed

  • Fix stack overflow when scanning files with a large number of line breaks.
  • Improve error message when the host scanner is used in combination with the Java static scanner.

Changed

  • Rename CLI option --static_scanner_path to --static-scanner-path.
  • Rename CLI option --image_name to --image-name.

0.7.0 - 2021-07-09

Added

  • Add Docker image scanning.

0.6.0 - 2021-06-11

Added

  • Add support for EC and DSA private keys and certificates.
  • Add support for DER encoding.
  • Include encoded certificates in the scan file.

0.5.0 - 2021-04-16

Added

  • Add hard-coded strings parsing of JAR files.

0.4.0 - 2021-02-10

Added

  • Add parsing of JKS keystores.

0.3.0 - 2020-04-27

Added

  • Add a progress bar showing the number of files scanned.

Changed

  • Change log level of "Unknown OID" message from warning to debug.

Fixed

  • Improve performance on large directory trees: less RAM usage, less computing and fewer syscalls.
  • Fix file being counted twice, and potential infinite loop, by not following symbolic links.
  • Fix freeze on files without an end, such as some special files in /sys/kernel.

0.2.0 - 2020-04-16

Changed

  • Make host scanner a lot less verbose by default.

Fixed

  • Fix stack overflow when scanning large directories.

Added

  • Add --verbose and --quiet options to control the verbosity.

0.1.0 - 2020-04-07

Initial release.